Ansible Sudo Setup

Mindwatering Incorporated

Author: Tripp W Black

Created: 03/04 at 01:06 PM

 

Category:
Linux
RH AAP

Task 1:
Set up the target server/workstation so an Ansible playbook can perform sudo actions on it, and write the playbook code for password-less sudo.

If the set-up is not correct, an error like the one below results:
fatal: [hostname]: FAILED! => {
"changed": false,
"module_stderr": "sudo: a password is required\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
...
}


1. Sudo Set-up
a. Verify that the sudoers file contains the line: #includedir /etc/sudoers.d (on sudo 1.9.1 and later, @includedir /etc/sudoers.d is the equivalent, newer spelling).
The leading # here is part of the directive, not a comment: do not remove it, because a bare includedir is a syntax error. If the line is absent, add it at the end of the file, since later sudoers entries take precedence and the drop-ins are meant to override the defaults above them.
Note:
- visudo checks the syntax before saving and reports any problem instead of installing a broken file, so always edit sudoers through visudo rather than directly.

$ sudo visudo
...
#includedir /etc/sudoers.d

Save w/
<esc>:wq


2. Add the new sudo file:
Notes:
- touch is not required: visudo -f on a file that doesn't exist creates it and shows New File at the bottom left. (touch without sudo would fail anyway, since /etc/sudoers.d is root-owned.)
- The file name must not contain a "." or end in "~". sudo silently skips such drop-ins (so that editor and package-manager backup files are ignored), which means a file named customaccount.conf is never read. Use a plain name such as customaccount.
- visudo -f creates the file root-owned with mode 0440, which is what sudo requires; a file with looser permissions is rejected.
- For the user to run commands as any user and group, while being prompted for their own password: adminID ALL=(ALL:ALL) ALL
- For the user to run commands as root only (the default run-as user when no (user:group) spec is given), without a password: adminID ALL=NOPASSWD:ALL. This is all Ansible needs when become_user is root, which is the default.
- For the user to run commands as any user and group, without a password: adminID ALL=(ALL:ALL) NOPASSWD:ALL
- NOPASSWD:ALL is unrestricted root for whoever holds adminID's SSH key; protect that key accordingly and narrow the command list where the playbooks allow it.
$ sudo visudo -f /etc/sudoers.d/customaccount
adminID ALL=NOPASSWD:ALL

Save w/
<esc>:wq
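The drop-in set-up in steps 1 and 2 as one script, added here as an example and not taken from the original page. It renders the three rule shapes from the notes, refuses drop-in names that sudo would skip, lets visudo parse the rule before installing it with the right owner and mode, and checks the result with the same non-interactive sudo that Ansible's become uses. adminID and customaccount are the page's placeholders; the script name sudoers_drop_in.sh is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): render, validate and install
# an /etc/sudoers.d drop-in for the Ansible login account, then verify it.
# adminID and customaccount are the placeholders used above.

# sudo ignores drop-ins whose name contains a '.' or ends in '~' (editor
# and package-manager backup files). Returns 0 when the name is usable.
sudoers_name_ok() {
    case "$1" in
        ''|*/*|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one sudoers rule.
#   $1  account the rule applies to
#   $2  run-as spec, e.g. ALL:ALL (any user and group); empty = root only
#   $3  "nopasswd" to skip the password prompt, anything else to keep it
render_sudoers_rule() {
    rule="$1 ALL="
    [ -n "$2" ] && rule="$rule($2) "
    [ "$3" = nopasswd ] && rule="${rule}NOPASSWD:"
    printf '%s\n' "${rule}ALL"
}

# Write the rule to a temp file, have visudo parse it, and only then
# install it with the ownership and mode sudo demands. Needs root.
install_sudoers_drop_in() {
    name=$1
    rule=$2
    sudoers_name_ok "$name" || { echo "unusable drop-in name: $name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
        rc=$?
    else
        echo "visudo rejected the rule: $rule" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Ansible's become runs sudo non-interactively (-n). Run this as adminID:
# "sudo: a password is required" here is the MODULE FAILURE shown above.
verify_passwordless_sudo() {
    sudo -n -u root true
}

# Usage (as root): ./sudoers_drop_in.sh install
if [ "${1:-}" = install ] && [ "$(id -u)" -eq 0 ]; then
    install_sudoers_drop_in customaccount "$(render_sudoers_rule adminID '' nopasswd)"
fi
```

Running visudo -cf on the temp file before install is the check that matters: a drop-in with a syntax error can lock every account out of sudo, and visudo -f on the live path only protects you when you edit interactively.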


3. Ansible Configuration on the control node
a. Edit ansible.cfg with the following updates:
Notes:
- The [privilege_escalation] keys are the ones current ansible-core reads. The old [defaults] keys sudo_user and ask_sudo_pass date from before the become framework and are no longer used; leave them out. (sudo_user = adminID would also have been wrong: the account to become is root, adminID is the account Ansible logs in as.)
- become_user=root is the default; it is spelled out here because the sudoers rule above only permits root.
- host_key_checking = False turns off SSH host-key verification, so a spoofed host could receive the login and the sudo session. Pre-seeding known_hosts and leaving the default is the safer choice.

$ sudo vi /etc/ansible/ansible.cfg
...
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

[defaults]
remote_tmp = /tmp/ansible-$USER
host_key_checking = False
ask_pass = False
...

Save w/
<esc>:wq


4. Playbook Code Snippet:
Notes:
- Do not use connection: local unless the playbook's target is this current server/workstation.
- A value that starts with {{ must be quoted, otherwise the YAML parser reads it as a mapping and the play fails to load.
- adminID is the account Ansible logs in as (remote_user), not the account it becomes: become_user stays at its default, root, which is what the sudoers rule above permits.

- hosts: "{{ hostsList }}"
  remote_user: "{{ adminID }}"
  become: true
  roles:
    - ...


5. Use the ansible-vault create command to store the user password encrypted, if sudo is not set up to run without a password:
Notes:
- The leading . in .vault.yml makes the file a hidden one so a regular ls doesn't include it. Hidden is not protected; the vault encryption is what protects the contents.
- There are two secrets here: the vault password, which encrypts the file, and the actual administrative user password stored inside it. ansible-vault encrypts the file (it does not hash the password), so anyone with the vault password can read the user password back.
- To change the user password with the ansible-vault edit command, the vault password is needed to decrypt and re-encrypt the file.
- If using git, we exclude the vault file(s) from the repository with .gitignore. The vault password itself must never be committed in any form.

a. Create the vault.yml and add the user password:
$ ansible-vault create .vault.yml
- In the prompt:
- - New Vault password: <enterReallyGoodPassPhrase>
- - Confirm New Vault password: <enterReallyGoodPassPhrase>

- Next, the normal vi editor window will open, and you should add your list of variables.
ansible_become_password: userPassword

Save w/
<esc>:wq

b. Add .vault.yml to the .gitignore. The entry has to match the file name exactly: a 'vault.yml' pattern does not match '.vault.yml'.
$ echo '.vault.yml' >> .gitignore


Notes:
- .vault.yml is the encrypted variables file, not the vault password. Load it like any other vars file, e.g. ansible-playbook -e @.vault.yml ... or under vars_files in the play, and supply the vault password with --ask-vault-pass.
- To skip the prompt, put the vault password (only the vault password) in its own file, for example .vault_pass, with mode 0600, and add that file to .gitignore as well. Then point Ansible at it:
- - on the command line: ansible-playbook --vault-password-file=.vault_pass ...
- - as an environment variable: export ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass
- - automatically for all playbooks, in ansible.cfg under the [defaults] section: vault_password_file=./.vault_pass
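Step 5 as a script, added here as an example and not taken from the original page. It keeps the two secrets apart: the vault password is generated into a file that only its owner can read and that git ignores, and the become password is written, already encrypted, into the vault file without ever appearing on a command line. The names .vault_pass, .vault.yml and vault_setup.sh and the ADMIN_PASSWORD environment variable are assumptions for this example; ansible-vault encrypt reading its plaintext from stdin when no file name is given is standard ansible-vault behaviour.

```sh
#!/bin/sh
# Added example (not from the original page): create the vault password
# file, check its permissions, keep it out of git, and encrypt the become
# password into .vault.yml. File names and ADMIN_PASSWORD are assumptions.

# Create the vault password file with a random passphrase. umask 077 in
# the subshell makes the file 0600 at creation, so there is no moment when
# it is readable by others. An existing file is left alone.
make_vault_pass_file() {
    file=$1
    [ -e "$file" ] && return 0
    ( umask 077 && { head -c 48 /dev/urandom | base64 | tr -d '\n'; echo; } > "$file" )
}

# Refuse to go on if group or others can read the vault password file.
# GNU stat first, BSD/macOS stat as the fallback.
vault_pass_file_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode, want 0600" >&2; return 1 ;;
    esac
}

# Append each path to the ignore file once. gitignore matches the name as
# written, so the entry must be '.vault_pass', not 'vault_pass'.
gitignore_add() {
    ignore=$1
    shift
    touch "$ignore"
    for path in "$@"; do
        grep -qxF -- "$path" "$ignore" || printf '%s\n' "$path" >> "$ignore"
    done
}

# Emit the variable line as YAML. The value is single-quoted with any
# embedded quote doubled, so a password containing : # or ' stays intact.
become_password_yaml() {
    printf "ansible_become_password: '%s'\n" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Encrypt the become password into the vault file. ansible-vault encrypt
# reads the plaintext from stdin when no file name is given, so the
# password never appears in a command line or temp file. Needs ansible-vault.
encrypt_become_password() {
    pass_file=$1
    vault_file=$2
    become_password_yaml "$3" |
        ansible-vault encrypt --vault-password-file "$pass_file" --output "$vault_file"
}

# Usage: ADMIN_PASSWORD='...' RUN_VAULT_SETUP=1 ./vault_setup.sh
# Then:  ansible-playbook --vault-password-file .vault_pass -e @.vault.yml site.yml
if [ "${RUN_VAULT_SETUP:-}" = 1 ]; then
    make_vault_pass_file .vault_pass
    vault_pass_file_private .vault_pass || exit 1
    gitignore_add .gitignore .vault_pass .vault.yml
    encrypt_become_password .vault_pass .vault.yml "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
fi
```

The permission check runs before every use, not only at creation, because the failure mode is a password file that was later copied or chmod'ed and quietly became readable by every local account.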



